K8S k8s(11) Node deployment with certificates

Published 2022-09-02

# Set cluster information on the master

/usr/local/ssl/k8s/environment.sh

```
# Create the kubelet bootstrapping kubeconfig
BOOTSTRAP_TOKEN=4873b03b10abc2797e293013e10e83b1   # replace with your own token
KUBE_APISERVER="https://172.19.152.37:6443"       # master address

# Set cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=./ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=bootstrap.kubeconfig

# Set client authentication parameters
kubectl config set-credentials kubelet-bootstrap \
  --token=${BOOTSTRAP_TOKEN} \
  --kubeconfig=bootstrap.kubeconfig

# Set context parameters
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig

# Set the default context
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

#----------------------
# Create the kube-proxy kubeconfig file
kubectl config set-cluster kubernetes \
  --certificate-authority=./ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config set-credentials kube-proxy \
  --client-certificate=./kube-proxy.pem \
  --client-key=./kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
```

# Generate the config files

```
sh environment.sh
```

The generated config files are for the node machines; every node needs a copy of these files.

# Edit the node common parameters

```
vim /usr/local/kubernetes/conf/kubernetes

KUBE_LOG_LEVEL="--v=2"
KUBE_LOGTOSTDERR="--logtostderr=false"
KUBE_LOG_DIR="--log-dir=/usr/local/kubernetes/logs/"
```

# Starting kube-proxy

```
cat /usr/lib/systemd/system/kube-proxy.service

[Unit]
Description=kube-proxy
After=network.target

[Service]
EnvironmentFile=-/usr/local/kubernetes/conf/kubernetes
ExecStart=/usr/local/kubernetes/bin/kube-proxy \
  $KUBE_LOG_LEVEL \
  $KUBE_LOGTOSTDERR \
  $KUBE_LOG_DIR \
  --kubeconfig=/usr/local/ssl/k8s/kube-proxy.kubeconfig

[Install]
WantedBy=multi-user.target
```

# kubelet client configuration

vim /usr/local/kubernetes/conf/kubelet.config

```
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.237.51        # the node's own IP
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs         # match your own Docker cgroup driver
failSwapOn: false
authentication:
  anonymous:
    enabled: true
```

# Create the cluster role binding

```
# run on the master
kubectl create clusterrolebinding kubelet-bootstrap \
  --clusterrole=system:node-bootstrapper \
  --user=kubelet-bootstrap
```

# Starting kubelet

vim /usr/lib/systemd/system/kubelet.service

```
[Unit]
Description=kubelet
After=docker.target

[Service]
EnvironmentFile=-/usr/local/kubernetes/conf/kubernetes
ExecStart=/usr/local/kubernetes/bin/kubelet \
  $KUBE_LOGTOSTDERR \
  $KUBE_LOG_LEVEL \
  $KUBE_LOG_DIR \
  --kubeconfig=/usr/local/ssl/k8s/bootstrap.kubeconfig \
  --bootstrap-kubeconfig=/usr/local/ssl/k8s/bootstrap.kubeconfig \
  --config=/usr/local/kubernetes/conf/kubelet.config \
  --cert-dir=/usr/local/ssl/k8s \
  --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0

[Install]
WantedBy=multi-user.target
```

# Approve the node CSR on the master

```
kubectl get csr
kubectl certificate approve node-csr-ZrtjZ05vYOQMYStOsmjvsgCVzOBDh4u16zSdeN8iM-8
```
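Approving whatever `kubectl get csr` lists hands a node identity to any requester, so the approval step is where the trust decision is made. The helper below is an added example (not part of the original post) that filters the table output of `kubectl get csr` down to Pending `node-csr-` requests made by the `kubelet-bootstrap` user from `bootstrap.kubeconfig` before approving each one; the sample listing is constructed.

```bash
#!/usr/bin/env bash
# Added helper for the CSR approval step: approve only CSRs that look like
# kubelet bootstrap requests instead of every pending CSR by name.
# Assumes the bootstrap user is "kubelet-bootstrap" as in bootstrap.kubeconfig.

# Constructed sample of `kubectl get csr` output, used for an offline check.
SAMPLE_CSR_LIST='NAME                    AGE   REQUESTOR           CONDITION
node-csr-AAAAexample1   2m    kubelet-bootstrap   Pending
node-csr-BBBBexample2   1m    system:admin        Pending
node-csr-CCCCexample3   9m    kubelet-bootstrap   Approved,Issued
other-csr-DDDDexample4  3m    kubelet-bootstrap   Pending'

# Reads `kubectl get csr` table output on stdin and prints the names of CSRs
# that are still Pending, were requested by the bootstrap user and carry the
# node-csr- prefix the kubelet uses. Column positions are taken from the header
# line so the filter survives extra columns (e.g. SIGNERNAME) in newer kubectl.
select_pending_bootstrap_csrs() {
  awk -v want_user="${1:-kubelet-bootstrap}" '
    NR == 1 {
      for (i = 1; i <= NF; i++) {
        if ($i == "REQUESTOR") r = i
        if ($i == "CONDITION") c = i
      }
      if (!r || !c) { print "unexpected kubectl header" > "/dev/stderr"; exit 1 }
      next
    }
    $1 ~ /^node-csr-/ && $r == want_user && $c == "Pending" { print $1 }
  '
}

# Approves the selected CSRs one at a time and logs each approval, so the
# grant of node identity is explicit and auditable. Needs cluster access.
approve_pending_bootstrap_csrs() {
  kubectl get csr | select_pending_bootstrap_csrs "$1" | while IFS= read -r name; do
    echo "approving $name"
    kubectl certificate approve "$name"
  done
}
```

Run `approve_pending_bootstrap_csrs` on the master after the kubelet has started on the node; CSRs from other requestors stay Pending for manual review.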